adds a default route (which will be used if no other route matches). All packets using this route will be gatewayed through "mango-gw". The device which will actually be used for that route depends on how we can reach "mango-gw" - the static route to "mango-gw" will have to be set up before.

route add ipx4 sl0

Adds the route to the "ipx4" host via the SLIP interface (assuming that "ipx4" is the SLIP host).

route add -net 192.57.66.0 netmask 255.255.255.0 gw ipx4

This command adds the net "192.57.66.x" to be gatewayed through the former route to the SLIP interface.

route add -net 224.0.0.0 netmask 224.0.0.0 eth0

route add -net 224.0.0.0 netmask 224.0.0.0 eth3

route delete -net 224.0.0.0 netmask 224.0.0.0 eth0

route delete -net 224.0.0.0 netmask 224.0.0.0 eth3

route -e

arp

Clear, add to, or dump the kernel's ARP cache. The arp command displays and modifies the Internet-to-adapter address translation tables used by the Address Resolution Protocol. The arp command displays the current ARP entry for the host specified by the HostName variable. The host can be specified by name or number, using Internet dotted decimal notation.

Since an interface may receive transmissions in differing protocols, each of which may require separate naming schemes, you can specify the address_family to change the interpretation of the remaining parameters. You may specify inet (the default; for TCP/IP), ax25 (AX.25 Packet Radio), ddp (Appletalk Phase 2), or ipx (Novell).

Parameters

broadcast

(inet only.) Specify address to use to represent broadcasts to the network. Default is the address with a host part of all 1s (i.e., x.y.z.255 for a class C network).

dest_address

Specify the address of the correspondent on the other end of a point-to-point link.

down Mark an interface "down" (unresponsive).

hw class address

Set the interface's hardware class and address. class may be ether (Ethernet), ax25 (AX.25 Packet Radio), or ARCnet.

netmask mask

(inet only.) Specify how much of the address to reserve for subdividing networks into subnetworks. mask can be specified as a single hexadecimal number with a leading 0x, with a dot notation Internet address, or with a pseudonetwork name listed in the network table /etc/networks.

pointopoint/-pointopoint [address]

Enable/disable point-to-point interfacing, so that the connection between the two machines is dedicated.

-r --negotiate restarts auto-negotiation on the specified ethernet device, if auto-negotiation is enabled.

ethtool en0 |grep Speed

-t --test executes adapter selftest on the specified ethernet device

insmod filename [module-options]

System administration command. Load the module filename into the kernel. Simpler but less flexible than the modprobe command.

modprobe [options] [modules]

System administration command. With no options, attempt to load the specified module, as well as all modules on which it depends. If more than one module is specified, attempt to load further modules only if the previous module failed to load.

-a Load all listed modules, not just the first one.

-l [pattern] List all existing modules.

-r Remove the specified modules, as well as the modules on which they depend.

-t type Load only a specific type of module. Consult /etc/conf.modules for the directories in which all modules of that type reside.

Related: /sbin/insmod, /sbin/rmmod, /sbin/depmod

dmesg is used to examine or control the kernel ring buffer.

dmesg [ -c ] [ -n level ] [ -s bufsize ]

-s bufsize

Use a buffer of size bufsize to query the kernel ring buffer. This is 16392 by default.

-n level

Set the level at which logging of messages is done to the console. For example, -n 1 prevents all messages, except panic messages, from appearing on the console. All levels of messages are still written to /proc/kmsg, so syslogd(8) can still be used to control exactly where kernel messages appear. When the -n option is used, dmesg will not print or clear the kernel ring buffer.

dmesg | grep -i usb

dmesg | grep -i tty

dmesg | grep -i memory

dmesg | grep -i dma

The output of dmesg is maintained in the log file /var/log/dmesg.

Configuration Files:

/etc/dhcpd.conf

/etc/hosts - locally resolve node names to IP addresses

/etc/resolv.conf - host name resolver configuration file

search name-of-domain.com - Name of your domain or ISP's domain if using their name server

nameserver XXX.XXX.XXX.XXX - IP address of primary name server

nameserver XXX.XXX.XXX.XXX - IP address of secondary name server

This configures Linux so that it knows which DNS server will be resolving domain names into IP addresses. If using DHCP client, this will automatically be sent to you by the ISP and loaded into this file as part of the DHCP protocol. If using a static IP address, ask the ISP or check another machine on your network.

Bug fixing

Lesson 1: In the program, some threads are designed to run forever until the program is shut down, but unfortunately, they didn't capture all possibly thrown exceptions, and this would cause a thread to exit unexpectedly.

Lesson 2: When the program runs slowly or weirdly, check the system status and all possibilities, and guess reasonably.

Some test defects looked very weird: the program could not send out multicast messages intermittently. At first, I guessed it might be a code problem, or, because we had upgraded the machine to a new operating system and a new JDK, that the new OS or new JDK was the culprit. When I tested, I found that when I hit the problem, the command 'java -version' would hang forever. But at that moment, I ignored this obvious information. At last my colleague figured out the root cause of the problem: one process on the machine consumed too many system resources, which caused all other processes to starve and freeze, and run extremely slowly.

UID   PID     PPID  C   STIME     TTY  TIME   CMD
root  307694  1     50  15:14:20  -    33:08  /process_cmd

C (-f, l, and -l flags) CPU utilization of process or thread, incremented each time the system clock ticks and the process or thread is found to be running. The value is decayed by the scheduler by dividing it by 2 once per second. For the sched_other policy, CPU utilization is used in determining process scheduling priority. Large values indicate a CPU intensive process and result in lower process priority whereas small values indicate an I/O intensive process and result in a more favorable priority.

How stupid of me: I didn't use the ps and top commands to check the system's run status, I ignored it when I discovered that 'java -version' hung, and I didn't catch the connection.

You want to log requests that go through your proxy to a different file than the requests coming directly to your server.

<Proxy *>
    SetEnv is_proxied 1
</Proxy>

CustomLog logs/proxy_log combined env=is_proxied

If you want to apply different directives to different proxied paths:

<Directory proxy:*>
    RewriteEngine On
    RewriteRule "\.(gif|png|jpg)$" "-" [ENV=proxied_image:1]
    RewriteCond "%{ENV:proxied_image}" "!1"
    RewriteRule "^" "-" [ENV=proxied_other:1]
</Directory>

CustomLog logs/proxy_image_log combined env=proxied_image
CustomLog logs/proxy_other_log combined env=proxied_other

Directives in the <Directory proxy:*> container will only apply to requests going through your server.

Logging Errors for Virtual Hosts to Multiple Files

Unlike activity logs, Apache will log error messages only to a single location. If the error is related to a particular virtual host and this host's <VirtualHost> container includes an ErrorLog entry, the error will be logged only in this file, and it won't appear in any global error log. If the <VirtualHost> does not specify an ErrorLog directive, the error will be logged only to the global error log.

Solution: Use piped logging to duplicate log entries:

ErrorLog "| tee logfile1 | tee logfile2 > logfile3"

Logging Server IP Addresses

You want to log the IP address of the server that responds to a request, possibly because you have virtual hosts with multiple addresses each.

Use the %A format effector in a LogFormat or CustomLog directive:

CustomLog logs/served-by.log "%A"

Logging the Referring Page: %{Referer}i

Logging the Name of the Browser Software: %{User-Agent}i

Logging Arbitrary Request Header Fields

Use the %{...}i log format variable in your access log format declaration, such as %{Host}i

There are two different types of virtual host supported by Apache. The first type, called address-based or IP-based, is tied to the numeric network address used to reach the system. The other type of virtual host is called name-based because the server's response depends on the name by which it was called. The environment defined by the directives outside any <VirtualHost> containers is sometimes called the "default server," "main server," or perhaps the "global server."

Setting Up Name-Based Virtual Hosts

ServerName 127.0.0.1
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName TheSmiths.name
    ServerAlias www.TheSmiths.name Smith.Family.name
    DocumentRoot "C:/Apache/Sites/TheSmiths"
</VirtualHost>

<VirtualHost *:80>
    ServerName JohnSmith.name
    DocumentRoot "C:/Apache/Sites/JustJohnSmith"
</VirtualHost>

The *:80 in the previous rules means that the specified hosts run on all addresses.

The argument to the <VirtualHost> container directive needs to match the argument in a NameVirtualHost directive.

Multiple names can be listed for a particular virtual host using the ServerAlias directive:

ServerAlias www.TheSmiths.name Smith.Family.name

You must still add records to your DNS server so that the names resolve to the IP address of the server system.

Designating One Name-Based Virtual Host as the Default

Add the following <VirtualHost> section, and list it before all of your other ones:

<VirtualHost *:80>
    ServerName default
    DocumentRoot /www/htdocs
    ErrorDocument 404 /site_list.html
</VirtualHost>

Setting Up Address-Based Virtual Hosts

You have multiple IP addresses assigned to your system, and you want to support one Web site on each.

ServerName 127.0.0.1

<VirtualHost 10.0.0.1>
    ServerName Example.Com
    DocumentRoot "C:/Apache/Sites/Example.Com"
</VirtualHost>

<VirtualHost 10.0.0.2>
    ServerName JohnSmith.Example.Com
    DocumentRoot "C:/Apache/Sites/JustJohnSmith"
</VirtualHost>

Creating a Default Address-Based Virtual Host

Use the _default_ keyword to designate a default host:

<VirtualHost _default_>
    DocumentRoot /www/htdocs
</VirtualHost>

The _default_ keyword creates a virtual host that catches all requests for any address:port combinations for which there is no virtual host configured.

The _default_ directive may (and should) be used in conjunction with a particular port number, such as:

<VirtualHost _default_:443>

Mixing Address-Based and Name-Based Virtual Hosts

Mass Virtual Hosting Using Rewrite Rules

Use directives from mod_rewrite to map to a directory based on the hostname:

RewriteEngine on
RewriteCond "%{HTTP_HOST}" "^(www\.)?([^.]+)\.com"
RewriteRule "^(.*)$" "/home/%2$1"

These directives map requests for www.something.com to the directory /home/something.

You want to serve content out of a directory other than the DocumentRoot directory.

Alias "/desired-URL-prefix" "/path/to/other/directory"

You may also need to add a few configuration directives to permit access to the directory that you are mapping to. An error message (in your error_log file) saying that the request was "denied by server configuration" usually indicates this condition. It is fairly common (and recommended) to configure Apache to deny all access, by default, outside of the DocumentRoot directory.

<Directory "/path/to/other/directory">
    Order allow,deny
    Allow from all
</Directory>

Alias is very strict with respect to slashes. To avoid problems, create Aliases without the trailing slash on each argument.

Creating a New URL for Existing Content:

Alias "/newurl" "/www/htdocs/oldurl"

Giving Users Their Own URLs

If you want users' Web locations to be under their home directories, add this to your httpd.conf file:

UserDir public_html

To put all users' Web directories under a central location:

UserDir "/www/users/*/htdocs"

If you want to let users access their home directory without having to use a tilde (~) in the URL, you can use mod_rewrite to perform this mapping:

Whereas Alias maps a URL to something in the local filesystem, Redirect maps a URL to another URL, usually on another server. The second argument is a full URL and is sent back to the client, which makes a second request for the new URL.

Redirections come in several different flavors: temp, permanent, gone, seeother.

Redirecting Several URLs to the Same Destination

RedirectMatch "^/[fF]ish(ing)?(/.*)?" "http://fish.example.com/$2"

Permitting Case-Insensitive URLs

You want requested URLs to be valid whether uppercase or lowercase letters are used.

Use mod_speling to make URLs case-insensitive:

CheckSpelling On

The mod_speling module is part of the standard Apache distribution but is not enabled by default, so you need to explicitly enable it. In addition to making URLs case-insensitive, mod_speling, as the name implies, provides simple spellchecking capability. In particular, in the case of a "not found" error, mod_speling attempts to find files that may have been intended, based on similar spelling, transposed letters, or perhaps letters swapped with similar-looking numbers, like O for 0 and l for 1.

Showing Highlighted PHP Source without Symlinking

RewriteRule "^(.+\.php)s$" "$1" [H=application/x-httpd-php-source]

Replacing Text in Requested URLs

RewriteRule "(.*)string1(.*)" "$1string2$2" [N,PT]

The [N] flag tells Apache to rerun the rewrite rule. This rule will get run repeatedly until the RewriteCond fails.

The [PT] tells mod_rewrite to pass the rewritten URL on to the rest of Apache for any additional processing once the rewriting is done.

If we've reached this point in the ruleset, we know that we have a request for an image file from within a page on another Web site. The RewriteRule matches a request and returns Forbidden to the client.

Redirecting Unreferred Requests to an Explanation Page

RewriteEngine On
RewriteCond "%{HTTP_REFERER}" "^$"
RewriteRule "(.*)" "/cgi-bin/need-referer" [PT,E=ORIG:$1]

The original URI is put into the environment variable ORIG for the script to reference.

Rewriting Based on the Query String

RewriteCond "%{QUERY_STRING}" "^user=([^=]*)"
RewriteRule "/people" "http://%1.users.example.com/" [R]

The [R] tells mod_rewrite to direct the browser to the URL constructed by the RewriteRule directive.

Redirecting All (or Part) of Your Server to SSL

RewriteEngine on
RewriteCond "%{SERVER_PORT}" "^80$"
RewriteRule "^(.*)$" "https://%{SERVER_NAME}/$1" [R,L]

You can redirect particular URLs to a secure version:

RewriteRule "^/normal/secure(/.*)" "https://%{HTTP_HOST}/$1" [R,L]

Or, you can simply use the Redirect directive in the http section of the httpd.conf file to cause a URL to be served as HTTPS:

Redirect "/" "https://secure.example.com/"

But make sure that this appears only in the http scope and not in the https scope, or all https requests will loop.

Turning Directories into Hostnames

You want to migrate pathnames under a single hostname to distinct hostnames.

The OR flag is a logical "or," allowing the two conditions to be strung together so that either one being true is a sufficient condition for the rule to be applied.

Rewriting Elements between Path and Query String

To rewrite http://example.com/path/to/5 to http://example.com/path/to?id=5:

RewriteRule "^(/path/to)/(\d+)" "$1?id=$2" [PT]

To go the other way (%1 is the id captured by the RewriteCond):

RewriteCond "%{QUERY_STRING}" "\bid=(\d+)\b"
RewriteRule "(/path/to)" "$1/%1" [PT,QSA]

Rewriting a Hostname to a Directory

You want requests for http://bogus.example.com/ to be turned into requests for http://example.com/bogus/.

RewriteCond "%{HTTP_HOST}" "^([^.]+)\.example\.com" [NC]
RewriteRule "(.*)" "http://example.com/%1$1" [R]

To do this transparently, without a redirect:

RewriteCond "%{HTTP_HOST}" "^([^.]+)\.example\.com$" [NC]
RewriteRule "(.*)" "/%1$1" [PT]

Turning URL Segments into Query Arguments

You want to turn requests of the form http://example.com/foo/bar.html into something like this: http://example.com/cgi-bin/remap?page=foo/bar.html

RewriteRule "/(.*)" "/cgi-bin/remap?page=$1" [QSA,PT]

The QSA option allows any query-string information that was on the original request to be retained and merged with the one being added by the RewriteRule. The PT option tells the server to continue processing the request rather than treating it as completely finished.

Use the following command forms to set up a credential file for a realm to be protected by Digest authentication (htdigest takes the password file as its first argument; /path/to/digestfile is a placeholder):

% htdigest -c "/path/to/digestfile" "By invitation only" rbowen

% htdigest "/path/to/digestfile" "By invitation only" krietz

Unlike entries in the password files created by htpasswd, which can be used anywhere, these passwords can be used only in the specified authentication realm, because the encrypted hash includes the realm.
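The realm binding can be checked against the file format itself: each htdigest entry is user:realm:MD5(user:realm:password). The following is an added example, not code from the original page; the passwords, the second realm name "Staff only" and the sample file contents are constructed for illustration.

```python
import hashlib
import hmac


def htdigest_line(user: str, realm: str, password: str) -> str:
    """Build one htdigest entry: user:realm:MD5(user:realm:password)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()
    return f"{user}:{realm}:{ha1}"


def parse_htdigest(text: str) -> dict:
    """Map (user, realm) -> stored hash, skipping blank or malformed lines."""
    entries = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":")
        # A valid entry has exactly three fields and a 32-hex-digit MD5 value.
        if len(parts) != 3 or len(parts[2]) != 32:
            continue
        entries[(parts[0], parts[1])] = parts[2].lower()
    return entries


def verify(entries: dict, user: str, realm: str, password: str) -> bool:
    """Check a password against the entry stored for this user in this realm."""
    stored = entries.get((user, realm))
    if stored is None:
        return False
    candidate = htdigest_line(user, realm, password).rsplit(":", 1)[1]
    return hmac.compare_digest(stored, candidate)


def constructed_file() -> str:
    """Constructed sample: two real entries, one copied hash, one junk line."""
    rbowen = htdigest_line("rbowen", "By invitation only", "constructed-pw-1")
    krietz = htdigest_line("krietz", "By invitation only", "constructed-pw-2")
    # rbowen's hash pasted verbatim under a different realm name.
    copied = "rbowen:Staff only:" + rbowen.rsplit(":", 1)[1]
    return "\n".join([rbowen, krietz, copied, "not a valid entry"])


if __name__ == "__main__":
    entries = parse_htdigest(constructed_file())
    for realm in ("By invitation only", "Staff only"):
        ok = verify(entries, "rbowen", realm, "constructed-pw-1")
        print(f"rbowen / {realm!r}: {'accepted' if ok else 'rejected'}")
```

The copied entry is rejected because the server recomputes the hash with the realm it is protecting, so an entry has to be regenerated with htdigest for each realm.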

Relaxing Security in a Subdirectory

Add the following to either the .htaccess file in the subdirectory or in an appropriate <Directory> container:

Satisfy Any
Order Deny,Allow
Allow from all

Lifting Restrictions Selectively

<Directory "/usr/local/apache/htdocs">
    Satisfy All
    Order allow,deny
    Deny from all
    <Files *.html>
        Order deny,allow
        Allow from all
        Satisfy Any
    </Files>
</Directory>

Accessing the Authenticated Username

Some scripting modules, such as mod_php, provide a standard interface for accessing values set by the server. For instance, to obtain the username that was used to authenticate from within a PHP script, it would access a field in the $_SERVER superglobal array:

$auth_user = $_SERVER['REMOTE_USER'];

For a Perl or mod_perl script, use:

my $username = $ENV{REMOTE_USER};

In a Server-Side Include (SSI) directive, this may look like:

Hello, user <!--#echo var="REMOTE_USER" -->. Thanks for visiting.

Preventing Brute-Force Password Attacks

You can use something like Apache::BruteWatch to tell you when a user is being attacked:

PerlLogHandler Apache::BruteWatch
PerlSetVar BruteDatabase DBI:mysql:brutelog
PerlSetVar BruteDataUser username
PerlSetVar BruteDataPassword password
PerlSetVar BruteMaxTries 5
PerlSetVar BruteMaxTime 120
PerlSetVar BruteNotify rbowen@example.com

Use AuthType Basic and the htpasswd tool to control access using Basic authentication. Use AuthType Digest and the htdigest tool for the Digest method.

Restricting Proxy Access to Certain URLs

You can block by keyword:

ProxyBlock .rm .ra .mp3

You can block by specific backend URLs:

<Directory proxy:http://other-host.org/path>
    Order Allow,Deny
    Deny from all
    Satisfy All
</Directory>

Or you can block according to regular expression pattern matching:

<Directory proxy:*>
    RewriteEngine On
    RewriteRule "\.(rm|ra)$" "-" [F,NC]
    RewriteRule "^[a-z]+://[-.a-z0-9]*\.mil($|/)" "-" [F,NC]
</Directory>

F stands for forbidden, NC for nocase.

Protecting Server Files from Malicious Scripts

Ensure that none of your files are writable by the nobody user or the nobody group, and that sensitive files are not readable by that user and group:

find / -user nobody
find / -group nobody

Restricting Access to Files Outside Your Web Root

<Directory />
    Order deny,allow
    Deny from all
    AllowOverride None
    Options None
</Directory>

For Windows systems:

<Directory C:/>...</Directory>

Repeat for each drive letter on the system.

If you wanted to create an Alias to some other section of your filesystem, you would need to explicitly permit this:

Alias /example /var/example

<Directory /var/example>
    Order allow,deny
    Allow from all
</Directory>

Limiting Methods by User

Apply user authentication per method using the Limit directive:

Order Deny,Allow
Allow from all

<Limit GET>
    Satisfy Any
</Limit>

<LimitExcept GET>
    Satisfy All
    Require valid-user
</LimitExcept>

Rebutting DoS Attacks with mod_evasive

Obtain mod_evasive from http://www.zdziarski.com/projects/mod_evasive/ and use a configuration like the following:

DOSPageCount 2
DOSPageInterval 1
DOSSiteCount 50
DOSSiteInterval 1
DOSBlockingPeriod 10

mod_evasive detects when a single client is making multiple requests in a short period of time, and denies further requests from that client.

This configuration places two restrictions on requests. First, the DOSPage directives state that if a single client address requests the same URL more than twice in a single second, it should be blocked. The DOSSite directives state that if a single client address requests more than 50 URLs in a single second, it should be blocked. This second value is higher because sometimes a single page will contain a large number of images, and so will result in a larger number of requests from one client.

The DOSBlockingPeriod directive sets the interval for which the client will be blocked: in this case, 10 seconds.
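To see how these five thresholds interact before deploying them, the following added example (not mod_evasive's own code and not from the original page) replays a constructed request trace through a simplified model of the behaviour described above. The class and function names, the client addresses, and the choice to count in fixed windows with a block that lasts DOSBlockingPeriod from the triggering request are assumptions of this sketch.

```python
from dataclasses import dataclass, field


@dataclass
class EvasiveModel:
    """Simplified model of the thresholds above (an assumption, not the module)."""
    page_count: int = 2          # DOSPageCount
    page_interval: float = 1     # DOSPageInterval, seconds
    site_count: int = 50         # DOSSiteCount
    site_interval: float = 1     # DOSSiteInterval, seconds
    blocking_period: float = 10  # DOSBlockingPeriod, seconds
    _hits: dict = field(default_factory=dict)     # key -> (window start, count)
    _blocked: dict = field(default_factory=dict)  # ip -> time the block began

    def _over(self, key, now, limit, interval):
        """Count this hit; report whether the limit was already used up."""
        start, count = self._hits.get(key, (now, 0))
        if now - start >= interval:      # window expired: start a new one
            start, count = now, 0
        self._hits[key] = (start, count + 1)
        return count >= limit

    def allow(self, ip, uri, now):
        """Return True if the request is served, False if it is denied."""
        began = self._blocked.get(ip)
        if began is not None and now - began < self.blocking_period:
            return False
        page_over = self._over((ip, uri), now, self.page_count, self.page_interval)
        site_over = self._over((ip, None), now, self.site_count, self.site_interval)
        if page_over or site_over:
            self._blocked[ip] = now
            return False
        return True


def replay(requests, model=None):
    """Run (time, ip, uri) tuples through the model in time order."""
    model = model or EvasiveModel()
    return [(t, ip, uri, model.allow(ip, uri, t)) for t, ip, uri in sorted(requests)]


def constructed_trace():
    """Constructed sample traffic from three clients."""
    reqs = [
        # Client A hammers one URL, then comes back during and after the block.
        (0.0, "10.0.0.5", "/login"), (0.2, "10.0.0.5", "/login"),
        (0.4, "10.0.0.5", "/login"), (5.0, "10.0.0.5", "/index.html"),
        (10.5, "10.0.0.5", "/index.html"),
    ]
    # Client B loads one page with 30 images inside a second.
    reqs += [(20 + i * 0.03, "10.0.0.9", f"/img/{i}.png") for i in range(30)]
    # Client C requests 51 different URLs inside a second.
    reqs += [(30 + i * 0.01, "10.0.0.7", f"/page/{i}") for i in range(51)]
    return reqs


def denied(trace):
    """List the (time, ip, uri) of every denied request."""
    return [(t, ip, uri) for t, ip, uri, ok in trace if not ok]


if __name__ == "__main__":
    for t, ip, uri in denied(replay(constructed_trace())):
        print(f"t={t:5.2f}s  {ip}  {uri}  -> denied")
```

Replaying a sample of real access-log timestamps the same way shows whether legitimate pages with many embedded resources would trip DOSSiteCount before the limits go live.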

chroot is a Unix command that causes a program to run in a jail. That is to say, when the command is launched, the accessible file system is replaced with another path, and the running application is forbidden to access any files outside of its new file system. By doing this, you are able to control what resources the program has access to and prevent it from writing to files outside of that directory, or running any programs that are not in that directory. This prevents a large number of exploits by simply denying the attacker access to the necessary tools.

Blocking Worms with mod_security

You can use the mod_security third-party module to intercept common probes before they actually reach your Web server's pages.

Mixing Read-Only and Write Access to a Subversion Repository

For a simple solution, you can use the <LimitExcept> to protect certain files or paths such that write access requires

For more flexible or fine-grained control, combine this with the mod_authz_svn module:

LoadModule authz_svn_module modules/mod_authz_svn.so

<Location "/repos">
    ...
    AuthzSVNAccessFile "/path/to/access-file"
    <Limit GET PROPFIND OPTIONS REPORT>
        Satisfy Any
    </Limit>
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Satisfy All
        Require valid-user
    </LimitExcept>
</Location>

Using Permanent Redirects to Obscure Forbidden URLs

Add an ErrorDocument script that issues a permanent redirect to a "document not found" message page:

Alias "/not-found" "/path/to/documentroot/not-found.html"
ErrorDocument 403 "/cgi/handle-403"

And in the cgi-bin/handle-403 script, something like this:

#!/usr/bin/perl -w
print "Location: http://example.com/not-found\r\n\r\n";
exit(0);

Installing SSL

If you built Apache yourself from source, just add --enable-ssl to the ./configure arguments when you build Apache to include SSL as one of the built-in modules. The Apache SSL modules are an interface between Apache and the OpenSSL libraries, which you must install before any of this can work.

Generating Self-Signed SSL Certificates

Use the openssl command-line program that comes with OpenSSL:

Generating the private key:

openssl genrsa -out server.key 1024

Generating the certificate signing request:

openssl req -new -key server.key -out server.csr

You must supply the correct value for Common Name, which is the hostname of the server on which this certificate will be used. It is crucial that the hostname that you put in here exactly match the hostname that will be used to access the site.

You can also use the CA.pl script that comes with OpenSSL to generate a CA certificate of your own.

Then add the following lines in your httpd.conf configuration file:

SSLCertificateFile "/www/conf/server.crt"
SSLCertificateKeyFile "/www/conf/server.key"

Serving a Portion of Your Site via SSL

You want to have a certain portion of your site available via SSL exclusively.

<Directory /www/secure>
    SSLRequireSSL
</Directory>

or:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

The entire setup might look something like this:

NameVirtualHost *

<VirtualHost *>
    ServerName regular.example.com
    DocumentRoot /www/docs
    Redirect / https://secure.example.com/
</VirtualHost>

<VirtualHost _default_:443>
    SSLEngine On
    SSLCertificateFile /www/conf/ssl/ssl.crt
    SSLCertificateKeyFile /www/conf/ssl/ssl.key
    ServerName secure.example.com
    DocumentRoot /www/docs
</VirtualHost>

Wildcard Certificates

Create a certificate with a Common Name of *.example.com, where example.com is the domain for which you wish to use the certificate. This certificate will now work for any hostname in the example.com domain, such as www.example.com or secure.example.com.

Error Handling

Customized Error Messages

You want to display a customized error message, rather than the default Apache error page.

ErrorDocument 405 /errors/notallowed.htm

Redirecting Invalid URLs to Some Other Page

ErrorDocument 404 /index.html
DirectoryIndex index.html /path/to/notfound.html

Making Internet Explorer Display Your Error Page

Make the error document bigger: at least 512 bytes.

Notification on Error Conditions

Point the ErrorDocument directive to a CGI program that sends mail, rather than to a static document:

ErrorDocument 404 /cgi-bin/404.cgi

Proxies

mod_proxy, which comes with Apache, handles proxying behavior. Apache 2.2 introduces a number of submodules, such as mod_proxy_balancer, which give additional functionality to mod_proxy.

Securing Your Proxy Server

<Proxy *>
    Order Deny,Allow
    Deny from all
    Allow from .yourdomain.com
</Proxy>

Every request for resources that goes through your proxy server generates a logfile entry, containing the address of the client and the resource that she requested through your proxy server.

It is possible to configure your server not to log these requests.

<Directory proxy:*>
    SetEnv PROXIED 1
</Directory>

CustomLog /www/logs/access_log common env=!PROXIED

Preventing Your Proxy Server from Being Used as an Open Mail Relay

Use mod_rewrite to forbid proxy requests to port 25 (SMTP):

<Directory proxy:*>
    RewriteEngine On
    RewriteRule "^proxy:[a-z]*://[^/]*:25(/|$)" "-" [F,NC,L]
</Directory>

Forwarding Requests to Another Server

ProxyPass /other/ http://other.server.com/
ProxyPassReverse /other/ http://other.server.com/

The ProxyPassReverse directive ensures that any redirect headers sent from the backend server will be modified so that they appear to come from the main server.

Blocking Proxied Requests to Certain Places

You want to use your proxy server as a content filter, forbidding requests to certain places.

ProxyBlock forbiddensite.com www.competitor.com monster.com

Proxying mod_perl Content to Another Server

You want to run a second HTTP server for dynamically generated content and have Apache transparently map requests for this content to the other server.

First, install Apache, running on an alternate port, such as port 90, on which you will generate this dynamic content. Then, on your main server:

ProxyPass /dynamic/ http://localhost:90/
ProxyPassReverse /dynamic/ http://localhost:90/

By giving the dynamic content its own dedicated server, you allow the static content to be served much more rapidly, and the dynamic content has a dedicated server. Each server can have a smaller set of modules installed than it would otherwise require because it'll be performing a smaller subset of the functionality needed to do both tasks.

Configuring a Caching Proxy Server

Configure your server to proxy requests and provide a location for the cached files to be placed:

ProxyRequests on
CacheRoot /var/spool/httpd/proxy

Filtering Proxied Content

You want to apply some filter to proxied content, such as altering certain words.

In Apache 2.0 and later, you can use mod_ext_filter to create output filters to apply to content before it is sent to the user:

You wish to proxy content from a server, but it requires a login and password before content may be served from this proxied site.

ProxyPass "/secretserver/" "http://127.0.0.1:8080"

<Directory "proxy:http://127.0.0.1:8080/">
    AuthName SecretServer
    AuthType Basic
    AuthUserFile /path/to/secretserver.htpasswd
    Require valid-user
</Directory>

Load Balancing with mod_proxy_balancer

Use mod_proxy_balancer to create a load-balanced cluster:

<Proxy balancer://mycluster>
    BalancerMember http://192.168.1.50:80
    BalancerMember http://192.168.1.51:80
</Proxy>

ProxyPass /application balancer://mycluster/

You can indicate that a particular server is more powerful than another, and so should be allowed to assume more of the load than other machines in the cluster.

BalancerMember http://192.168.1.51:80 loadfactor=2

Traffic may be balanced by traffic (bytes transferred) or by request (number of requests made per host) by putting additional arguments on the ProxyPass directive:

ProxyPass /application balancer://mycluster/ lbmethod=bytraffic

And there is a Web-based balancer manager tool, which can be configured as follows:

<Location /balancer-manager>
    SetHandler balancer-manager
</Location>

The balancer manager lets you set servers available or unavailable, and change their load factor, without restarting the server. This allows you to take servers offline for maintenance, do whatever needs to be done, and bring them back up, without ever affecting the end user.

Proxied Virtual Host

<VirtualHost *:80>
    ServerName server2.example.com
    ProxyPass / http://192.168.1.52:80
    ProxyPassReverse / http://192.168.1.52:80
</VirtualHost>

Refusing to Proxy FTP

Make sure that mod_proxy_ftp isn't loaded:

# LoadModule proxy_ftp_module modules/mod_proxy_ftp.so

mod_proxy has several helper modules that provide the protocol-specific proxying functionality. These modules are mod_proxy_http, for proxying HTTP requests; mod_proxy_ftp, for proxying FTP requests; and mod_proxy_connect, for support for the CONNECT HTTP method, used primarily for tunneling SSL requests through proxy servers.

Performance

Benchmarking Apache with ab

ab -n 1000 -c 10 http://www.example.com/test.html

-n requests Number of requests to perform

-c concurrency Number of multiple requests to make

Tuning KeepAlive Settings

KeepAlive On
MaxKeepAliveRequests 0
KeepAliveTimeout 15

The default behavior of HTTP is for each document to be requested over a new connection. This causes a lot of time to be spent opening and closing connections. KeepAlive allows multiple requests to be made over a single connection, thus reducing the time spent establishing socket connections. This, in turn, speeds up the load time for clients requesting content from your site.

Getting a Snapshot of Your Site's Activity

Enable the server-status handler to get a snapshot of what child processes are running and what each one is doing.

Enable ExtendedStatus to get even more detail:

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 192.168.1
</Location>

ExtendedStatus On

Then, view the results at the URL http://servername/server-status. You should also restrict access to this handler.

Avoiding DNS Lookups

HostNameLookups Off

Whenever possible, use the IP address, rather than the hostname, of the hosts in question in Allow from and/or Deny from directives. DNS lookups can take a very long time (anywhere from 0 to 60 seconds) and should be avoided at all costs.

Optimizing Symbolic Links

For tightest security, use Options SymlinksIfOwnerMatch, or Options -FollowSymLinks if you seldom or never use symlinks.

For best performance, use Options FollowSymlinks.

Minimizing the Performance Impact of .htaccess Files

Turn on AllowOverride only in directories where it is required, and tell Apache not to waste time looking for .htaccess files elsewhere:

AllowOverride None

Then use <Directory> sections to selectively enable .htaccess files only where needed.

.htaccess files cause a substantial reduction in Apache's performance, because it must check for a .htaccess in every directory along the path to the requested file to be assured of getting all of the relevant configuration overrides.

<Directory /www/htdocs/users/leopold>
    AllowOverride All
</Directory>

You would never have AllowOverride All enabled for your entire filesystem. Anything that appears in a .htaccess file can instead appear in a <Directory> section referring to that same directory.

Disabling Content Negotiation

Disable content negotiation where it is not needed. If you do
require content negotiation, use the type-map handler, rather
than the MultiViews option:

Options -MultiViews
AddHandler type-map var

Caching Frequently Viewed Files

Use mod_mmap_static or mod_file_cache (for Apache 1.3 and 2.0,
respectively) to cache these files in memory:

MMapFile /www/htdocs/index.html
MMapFile /www/htdocs/other_page.html

For Apache 2.0, you can use either module or the CacheFile directive.
MMapFile caches the file contents in memory, while CacheFile
caches the file handle instead, which gives slightly poorer
performance but uses less memory:

CacheFile /www/htdocs/index.html
CacheFile /www/htdocs/other_page.html

Caching Directory Listings

You want to provide a directory listing but want to reduce the
performance hit of doing so.

Use the TrackModified argument to IndexOptions to allow browsers to
cache the results of an auto-generated directory index:

IndexOptions +TrackModified

Caching Dynamic Content

You want to cache dynamically generated documents that don't actually
change very often.

Files that are password-protected are automatically omitted from
directory listings.

Sorting the List

IndexOrderDefault Descending Date

The possible arguments to IndexOrderDefault are: Name, Date, Size,
Description.

Specifying How the List Will Be Formatted

There are three levels of formatting that can be set. The list may be
unformatted, formatted, or rendered in an HTML table. To
enable fancy indexing, do the following:

IndexOptions FancyIndexing

IndexOptions FancyIndexing HTMLTable

Listing the Directories First: IndexOptions FoldersFirst

Ordering by Version Number: IndexOptions VersionSort

Showing Forbidden Files

By default, password-protected files and directories don't show up
in the directory listing.

IndexOptions +ShowForbidden

Miscellaneous Topics

Renaming .htaccess Files: AccessFileName ht.access

If you use the AccessFileName directive, be sure to make any
additional appropriate changes to your configuration such as the
<FilesMatch "^\.ht"> container that keeps the
files from being fetchable over the Web:
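
The mismatch this paragraph warns about, as an added example that is not part of the original page: a small Python check that reports any AccessFileName value not covered by a denying <FilesMatch> block. Both sample configurations and the function names are constructed for illustration, and Python's re module is assumed to behave like Apache's regex engine for these simple patterns.

```python
import re

# Constructed sample (not from the page): the stock rule only matches
# names beginning with ".ht", so the renamed "ht.access" stays fetchable.
WEAK_CONF = r'''
AccessFileName ht.access
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>
'''

# Constructed corrected form: the pattern also covers the new name.
FIXED_CONF = r'''
AccessFileName ht.access
<FilesMatch "^(\.ht|ht\.access$)">
    Order allow,deny
    Deny from all
</FilesMatch>
'''

# Simplified parsing: patterns containing '"' or '>' are not handled.
BLOCK_RE = re.compile(r'<FilesMatch\s+"?([^">]+)"?\s*>(.*?)</FilesMatch>',
                      re.IGNORECASE | re.DOTALL)
NAME_RE = re.compile(r'^\s*AccessFileName\s+(.+)$',
                     re.IGNORECASE | re.MULTILINE)
DENY_RE = re.compile(r'^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$',
                     re.IGNORECASE | re.MULTILINE)


def access_file_names(conf):
    """Names set by AccessFileName, or Apache's default if it is absent."""
    names = [n for line in NAME_RE.findall(conf) for n in line.split()]
    return names or [".htaccess"]


def unprotected_access_files(conf):
    """Return access-file names that no denying <FilesMatch> block matches."""
    deny_patterns = [re.compile(pat) for pat, body in BLOCK_RE.findall(conf)
                     if DENY_RE.search(body)]
    return [name for name in access_file_names(conf)
            if not any(p.search(name) for p in deny_patterns)]


if __name__ == "__main__":
    print("weak :", unprotected_access_files(WEAK_CONF))
    print("fixed:", unprotected_access_files(FIXED_CONF))
```
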

You also can provide a relative URL if you want to load content from
some other directory, such as a CGI program:

DirectoryIndex /cgi-bin/index.pl

Setting Up a Default "Favicon"

favicon.ico files allow Web sites to provide a small (16 x 16 pixels)
image to clients for use in labeling pages; for instance, the Mozilla
browser will show the favicon in the location bar and in any
page tabs.

AddType image/x-icon .ico

<Files favicon.ico>
    ErrorDocument 404 /icons/favicon.ico
</Files>

Enabling .htaccess Files

Add the following line to your httpd.conf file in a scope that
applies to the directory (or directories) for which you want to
enable .htaccess files:

The directive-type can be one of the following groupings of directives:
AuthConfig, FileInfo, Indexes, Limit, Options[=Option,...].

Using Regular Expressions in Apache

RedirectMatch ^/[sS]upport/(.*) http://support.example.com/$1

Troubleshooting

Debugging Rewrites That Result in "Not Found" Errors

If your RewriteRule directives keep resulting in 404 Not Found error
pages, add the PT (PassThrough) flag to the RewriteRule line. Without
this flag, Apache won't process a lot of other factors that might
apply, such as Alias settings. You can verify that this is the cause
of your problem by cranking the mod_rewrite logging level up to 9 and
seeing that the entries relating to the RewriteRule mention something
about prefixes with document_root: